如何预授权访问 Http.InboundGateway？

Question

我知道可以将 @PreAuthorize 注释添加到 Rest Controller...

@RestController
public class WebController {
    @PreAuthorize("hasAuthority('Foo')")
    @GetMapping("/restricted")
    public ResponseEntity<String> restricted() {
        return ResponseEntity.ok("Restricted section");
    }
}

如何预授权访问 Spring 集成 Http.inbound 网关？我知道我可以在集成流程中添加一个组件，并在转换器或服务激活器方法上添加注释，但我不想为此创建一个单独的对象。

@Bean
//@PreAuthorize("hasAuthority('Foo')") ?
public HttpRequestHandlingMessagingGateway restrictedGateway() {
    return Http.inboundGateway("/restricted")
            ...
            .get();
}

@Bean
public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway restrictedGateway) {
    return IntegrationFlows
            .from(restrictedGateway)
            .transform(source -> "Restricted section")
            .get();
}

Answer 1

我认为你是对的，通过查看 https://docs.spring.io/spring-integration/reference/html/security.htm 它允许声明频道 @Secured
即使我们在没有集成的普通 spring 启动应用程序上考虑 spring 安全性，它也处于过滤器级别，所以我认为它似乎有意义 HttpRequestHandlingMessagingGateway 作为 http 请求的侦听器

你能试试吗

    @Bean
    @SecuredChannel(interceptor = "channelSecurityInterceptor", sendAccess = "ROLE_XXX")
    public SubscribableChannel secureChannel() {
        return new DirectChannel();
    }

    @Bean
    public IntegrationFlow myFlow(HttpRequestHandlingMessagingGateway 
                                  restrictedGateway) {
    return IntegrationFlows
            .from(restrictedGateway)
            .channel(secureChannel())
            .transform(source -> "Restricted section")
            .get();
}

如何预授权访问 Http.InboundGateway？

How to preauthorize access to a Http.InboundGateway?

spring-security

spring-integration

spring-integration-dsl

spring-integration-http